January 2022 - FreeIPA-users - Fedora Mailing-Lists

by lejeczek

Hi guys. If that can be a news for some - I'd like to share a finding: it's possible to have ipa-integrated Samba serving non-enrolled clients, both Linux & Windows, with passwords for authentication. (which has been long & will continue to be a must-have for me) Question for @devel - above I get with simply by switching to 'LEGACY' - is it possible to do that but only for IPA-Samba(+ whatever required bits) as oppose to system-widely? It would be great to have IPA capable of that - perhaps an "enhancement" to future releases. many thanks, L.

2 minutes

2
4
0 / 0

missing attribute "krbPrincipalName" required by object class "ipaKrbPrincipal"

by Brian J. Murrell

I'm trying to add a replica but it's failing on step "[23/38]: creating DS keytab" with: [error] CalledProcessError: CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p', 'ldap/server.example.com(a)EXAMPLE.COM', '-H', 'ldaps://server-staging.example.com'] returned non-zero exit status 9: 'Failed to parse result: Insufficient access rights\n\nRetrying with pre-4.0 keytab retrieval method…\nFailed to parse result: Insufficient access rights\n\nFailed to get keytab!\nFailed to get keytab\n') This is trying to add back an ipa server that was previously removed (for O/S major version upgrade per the supported upgrade/migration process). Maybe the previous removal was not complete? After running the recommended --uninstall and then examining the principals in the master server, I see an ldap/server.example.com(a)EXAMPLE.COM still remaining. Surely that should not be there, correct? So I tried to remove it, but that gave yet another error: missing attribute "krbPrincipalName" required by object class "ipaKrbPrincipal" and logged the error: ERR - oc_check_required - Entry "krbprincipalname=ldap/server.example.com(a)EXAMPLE.COM,cn=services,cn=accounts,dc=interlinx,dc=bc,dc=ca" missing attribute "krbPrincipalName" required by object class "ipaKrbPrincipal" in the journal. So how to proceed now?

8 minutes

3
5
0 / 0

IPA removal/uninstall renders box unable to login, including console - ?

by lejeczek

Hi guys. Has anybody seen, experienced that/similar? - this is a second master from which I uninstalled IPA successfully, cleanly and immediately after reboot system does not login users(not even tty console) Something to do with SELinux/fcontext - I had to def-policy-relabeled whole '/etc' many thanks, L.

32 minutes

2
5
0 / 0

[SSSD] Announcing SSSD 2.6.3

by Pavel Březina

# SSSD 2.6.3 The SSSD team is proud to announce the release of version 2.6.3 of the System Security Services Daemon. The tarball can be downloaded from: https://github.com/SSSD/sssd/releases/tag/2.6.3 See the full release notes at: https://sssd.io/release-notes/sssd-2.6.3.html RPM packages will be made available for Fedora shortly. ## Feedback Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users ## Highlights ### Important fixes * A regression introduced in sssd-2.6.2 in the IPA provider that prevented users from login was fixed. Access control always denied access because the selinux_child returned an unexpected reply. * A critical regression that prevented authentication of users via AD and IPA providers was fixed. LDAP port was reused for Kerberos communication and this provider would send incomprehensible information to this port. * When authenticating AD users, backtrace was triggered even though everything was working correctly. This was caused by a search in the global catalog. Servers from the global catalog are filtered out of the list before writing the KDC info file. With this fix, SSSD does not attempt to write to the KDC info file when performing a GC lookup.

3 hours, 34 minutes

1
0
0 / 0

Need help with confusing query results

by Edward Valley

Hi there. I'm using latest FreeIPA available on Rocky Linux 8.5 VERSION: 4.9.6, API_VERSION: 2.245 When I run the following LDAP query: ldapsearch -H "ldap://idm-host:389" -x -s sub \ -D "cn=Directory Manager" -w "dm-password" \ -b "cn=users,cn=accounts,dc=..." \ '(objectClass=inetOrgPerson)' \ uid entryUUID I get the following result: (entryUUID is present) # user1, users, accounts, ... dn: uid=user1,cn=users,cn=accounts,dc=... uid: user1 entryUUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee # user2, users, accounts, ... dn: uid=user2,cn=users,cn=accounts,dc=... uid: user2 entryUUID: aaaaaaaa-bbbb-cccc-dddd-ffffffffffff But, when I use this query: ldapsearch -H "ldap://idm-host:389" -x -s sub \ -D "cn=Directory Manager" -w "dm-password" \ -b "cn=users,cn=accounts,dc=..." \ '(&(objectClass=inetOrgPerson)(uid=user1))' \ uid entryUUID The result is this one: (No entryUUID attribute) # user1, users, accounts, ... dn: uid=user1,cn=users,cn=accounts,dc=... uid: user1 Can somebody please guide me on what's happening here? If you need more info just tell me. Thank you very much.

5 hours, 26 minutes

3
3
0 / 0

IPA yubikey duo

by Per Qvindesland

Hi Is there any information on how to implement IPA with yubikey duo? I had a look and it seems straightforward enough to implement duo and ssh https://duo.com/docs/duounix but it would be nice to be able to manage it through ipa. Regards Per Sent from my Commodore 64

1 day, 1 hour

2
1
0 / 0

CA - does it make sense with globbing/wildcard

by lejeczek

Hi guys I'm for the first time contemplating CA service from a public CA to subordinate IPA to it - would it make sense with a *.sub.domain cert, if such one cert one already has from that public CA, to still want to sub IPA's CA? (not a CA expert so go easy on me) many thanks, L.

1 day, 1 hour

2
3
0 / 0

Some ipa user passwords did not work after update

by Ronald Wimmer

On December the 30th we have updated the following packages on our IPA servers: Package list: 0:ipa-client-4.9.6-10.0.1.module+el8.5.0+20451+6c55862e.x86_64 0:ipa-client-common-4.9.6-10.0.1.module+el8.5.0+20451+6c55862e.noarch 0:ipa-common-4.9.6-10.0.1.module+el8.5.0+20451+6c55862e.noarch 0:ipa-selinux-4.9.6-10.0.1.module+el8.5.0+20451+6c55862e.noarch 0:ipa-server-4.9.6-10.0.1.module+el8.5.0+20451+6c55862e.x86_64 0:ipa-server-common-4.9.6-10.0.1.module+el8.5.0+20451+6c55862e.noarch 0:ipa-server-trust-ad-4.9.6-10.0.1.module+el8.5.0+20451+6c55862e.x86_64 0:python3-ipaclient-4.9.6-10.0.1.module+el8.5.0+20451+6c55862e.noarch 0:python3-ipalib-4.9.6-10.0.1.module+el8.5.0+20451+6c55862e.noarch 0:python3-ipaserver-4.9.6-10.0.1.module+el8.5.0+20451+6c55862e.noarch 0:389-ds-base-1.4.3.23-12.module+el8.5.0+20461+fe0fe228.x86_64 0:389-ds-base-libs-1.4.3.23-12.module+el8.5.0+20461+fe0fe228.x86_64 0:python3-lib389-1.4.3.23-12.module+el8.5.0+20461+fe0fe228.noarch 0:systemd-239-51.0.1.el8_5.3.x86_64 0:systemd-libs-239-51.0.1.el8_5.3.x86_64 0:systemd-pam-239-51.0.1.el8_5.3.x86_64 0:systemd-udev-239-51.0.1.el8_5.3.x86_64 0:kernel-4.18.0-348.7.1.el8_5.x86_64 0:kernel-core-4.18.0-348.7.1.el8_5.x86_64 0:kernel-modules-4.18.0-348.7.1.el8_5.x86_64 0:kernel-tools-4.18.0-348.7.1.el8_5.x86_64 0:kernel-tools-libs-4.18.0-348.7.1.el8_5.x86_64 0:kexec-tools-2.0.20-57.0.3.el8_5.1.x86_64 0:libipa_hbac-2.5.2-2.0.1.el8_5.3.x86_64 0:libsss_autofs-2.5.2-2.0.1.el8_5.3.x86_64 0:libsss_certmap-2.5.2-2.0.1.el8_5.3.x86_64 0:libsss_idmap-2.5.2-2.0.1.el8_5.3.x86_64 0:libsss_nss_idmap-2.5.2-2.0.1.el8_5.3.x86_64 0:libsss_simpleifp-2.5.2-2.0.1.el8_5.3.x86_64 0:libsss_sudo-2.5.2-2.0.1.el8_5.3.x86_64 1:openssl-1.1.1k-5.el8_5.x86_64 1:openssl-libs-1.1.1k-5.el8_5.x86_64 1:openssl-perl-1.1.1k-5.el8_5.x86_64 0:oraclelinux-release-el8-1.0-21.el8.x86_64 0:python3-libipa_hbac-2.5.2-2.0.1.el8_5.3.x86_64 0:python3-libsss_nss_idmap-2.5.2-2.0.1.el8_5.3.x86_64 0:python3-perf-4.18.0-348.7.1.el8_5.x86_64 0:python3-sss-2.5.2-2.0.1.el8_5.3.x86_64 0:python3-sss-murmur-2.5.2-2.0.1.el8_5.3.x86_64 0:python3-sssdconfig-2.5.2-2.0.1.el8_5.3.noarch 0:selinux-policy-3.14.3-80.0.2.el8_5.2.noarch 0:selinux-policy-targeted-3.14.3-80.0.2.el8_5.2.noarch 0:sssd-client-2.5.2-2.0.1.el8_5.3.x86_64 0:sssd-common-2.5.2-2.0.1.el8_5.3.x86_64 0:sssd-common-pac-2.5.2-2.0.1.el8_5.3.x86_64 0:sssd-dbus-2.5.2-2.0.1.el8_5.3.x86_64 0:sssd-ipa-2.5.2-2.0.1.el8_5.3.x86_64 0:sssd-kcm-2.5.2-2.0.1.el8_5.3.x86_64 0:sssd-krb5-common-2.5.2-2.0.1.el8_5.3.x86_64 0:sssd-nfs-idmap-2.5.2-2.0.1.el8_5.3.x86_64 0:sssd-tools-2.5.2-2.0.1.el8_5.3.x86_64 0:sssd-winbind-idmap-2.5.2-2.0.1.el8_5.3.x86_64 0:systemd-239-51.0.1.el8_5.2.x86_64 0:systemd-libs-239-51.0.1.el8_5.2.x86_64 0:systemd-pam-239-51.0.1.el8_5.2.x86_64 0:systemd-udev-239-51.0.1.el8_5.2.x86_64 0:kernel-uek-5.4.17-2136.302.6.1.el8uek.x86_64 After having updated these packages some of our ipa users (including admin) were not able to log in anymore. Fortunately, some users still worked allowing us to reset the passwords of the respective users. Can this be update related or is it just a coincidence? We had to reset the passwords and no time to hunt the problem down. But what can possibly have caused this? Cheers, Ronald

1 day, 4 hours

3
13
0 / 0

dependency blocks to install ipa-server on Centos 7

by Kathy Zhu

Hi List, When I tried to install ipa-server on Centos 7, I ran into the following: Error: Package: ipa-server-4.6.8-5.el7.centos.10.x86_64 (updates) Requires: mod_wsgi Available: mod_wsgi-3.4-18.el7.x86_64 (base) mod_wsgi = 3.4-18.el7 Available: python36-mod_wsgi-4.6.2-2.el7.ius.x86_64 (ius) mod_wsgi = 4.6.2 After upgrading to the latest, it's still the same. Does anyone know how to get by this? Many thanks! Kathy.

3 days, 20 hours

2
2
0 / 0

parse the audit logs

by Kathy Zhu

Hello list, I had FreeIPA audit log on. I feed audit logs to Graylog. Since there are multiple lines of logs for each event, I could not find a suitable extractor to parse the logs. Therefore, the logs are very hard to read. Could anyone in the list share how you process the logs if you are in a similar situation? Thanks! Kathy.

3 days, 21 hours

2
2
0 / 0

2022

2021

2020

2019

2018

2017

FreeIPA-users January 2022